The expose_php setting is an option, something each admin can make up
their own mind on. Some will prefer not to waste bandwidth and tell the
world what they are running, while others prefer to advertise PHP.
Either approach is fine, but from a security perspective you want to tell
a potential attacker as little information as possible.

> I don't think it would reduce the number of attacks turning the
> version information off. But it would be more cumbersome to help
> people with php issues as the php version is not directly available.

This is simply not true. When a bug comes in we ask the user to specify
the version; we don't go looking for their server and checking their
version. Old versions of PHP have security holes, and a directed attack
against only the vulnerable servers would be much harder to spot and
take far fewer resources to execute.

Ilia    

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
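
An added example, not part of the original message or of PHP itself: a small audit an admin could run against their own servers' responses to see what expose_php is advertising. It checks the X-Powered-By header that expose_php adds and the PHP token mod_php appends to Server; the sample responses and function names are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from any real server).
EXPOSED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (Unix) PHP/5.2.0\r\n"
    "x-powered-by: PHP/5.2.0\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HIDDEN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

# "PHP" as a whole word, optionally followed by "/<version>".
PHP_TOKEN = re.compile(r"\bPHP\b(?:/(\d+(?:\.\d+)*[\w.+~-]*))?", re.IGNORECASE)

def php_disclosures(raw_response):
    """Return [(header_name, version_or_None)] for headers that reveal PHP."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # ignore the body
    findings = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()               # header names are case-insensitive
        if name not in ("x-powered-by", "server"):
            continue
        for m in PHP_TOKEN.finditer(value):
            findings.append((name, m.group(1)))
    return findings

def audit(raw_response):
    """One-line verdict for a single response."""
    hits = php_disclosures(raw_response)
    if not hits:
        return "ok: no PHP banner in response headers"
    shown = ", ".join(f"{h}={v or 'unversioned'}" for h, v in hits)
    return f"exposed ({shown}): set expose_php = Off in php.ini"

if __name__ == "__main__":
    print(audit(EXPOSED))
    print(audit(HIDDEN))
```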